CVE-2026-35223
Description
An improper access check allows unauthorized access to com_config webservice endpoints.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla! CMS 4.0.0–5.4.5 and 6.0.0–6.1.0 improperly check access on com_config webservice endpoints, allowing unauthorized configuration changes.
Vulnerability
An improper access check in the com_config webservice endpoints allows unauthorized access. Affected are Joomla! CMS versions 4.0.0 through 5.4.5 and 6.0.0 through 6.1.0 [1]. The vulnerability is classified as an incorrect access control flaw [1].
Exploitation
An attacker without the necessary administrative privileges can send crafted requests to the com_config webservice endpoints. The attacker must have network access to a vulnerable Joomla! instance; no prior authentication is required at the webservice level due to the missing check [1].
Impact
A successful attacker can read or modify site configuration via the webservice endpoints. This can lead to disclosure of sensitive settings and potential full site compromise, depending on the configuration data accessed or altered [1].
Mitigation
The vulnerability is fixed in Joomla! CMS versions 5.4.6 and 6.1.1, released on 2026-05-26 [1]. Users should upgrade to these or later versions. No workaround is documented in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.